UNITED STATES OF AMERICA 
BEFORE THE FEDERAL TRADE COMMISSION 


COMMISSIONERS: Jon Leibowitz, Chairman 
William E. Kovacic 
J. Thomas Rosch 
Edith Ramirez 
Julie Brill 


In the Matter of 
DOCKET NO: C-4316 
TWITTER, INC., 
a corporation. 
DECISION AND ORDER 


The Federal Trade Commission, having initiated an investigation of certain acts and 
practices of the respondent named in the caption hereof, and the respondent having been 
furnished thereafter with a copy of a draft Complaint that the Bureau of Consumer Protection 
proposed to present to the Commission for its consideration and which, if issued, would charge 
the respondent with violation of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.; 


The respondent and counsel for the Commission having thereafter executed an 
Agreement Containing Consent Order (“Consent Agreement”), an admission by the respondent 
of all the jurisdictional facts set forth in the aforesaid draft Complaint, a statement that the 
signing of said Consent Agreement is for settlement purposes only and does not constitute an 
admission by the respondent that the law has been violated as alleged in such Complaint, or that 
the facts as alleged in such Complaint, other than jurisdictional facts, are true, and waivers and 
other provisions as required by the Commission’s Rules; and 


The Commission having thereafter considered the matter and having determined that it 
has reason to believe that the respondent has violated the Federal Trade Commission Act, and 
that a Complaint should issue stating its charges in that respect, and having thereupon accepted 
the executed Consent Agreement and placed such Consent Agreement on the public record for a 
period of thirty (30) days for the receipt and consideration of public comments, and having duly 
considered the comments received from interested persons, now in further conformity with the 
procedure described in Commission Rule 2.34, 16 C.F.R. § 2.34, the Commission hereby issues 
its Complaint, makes the following jurisdictional findings, and enters the following Order: 
1. Respondent Twitter, Inc. (“Twitter”) is a Delaware corporation with its principal office 
or place of business at 795 Folsom Street, Suite 600, San Francisco, CA 94103. 


2. The Federal Trade Commission has jurisdiction of the subject matter of this proceeding 
and of the Respondent, and the proceeding is in the public interest. 


ORDER 
DEFINITIONS 
For purposes of this order, the following definitions shall apply: 


1. Unless otherwise specified, “respondent” shall mean Twitter, its successors and assigns, 
officers, agents, representatives, and employees. 


2. “Consumer” shall mean any person, including, but not limited to, any user of 
respondent’s services, any employee of respondent, or any individual seeking to become 
an employee, where “employee” shall mean an agent, servant, salesperson, associate, 
independent contractor, or other person directly or indirectly under the control of 
respondent. 


3. “Nonpublic consumer information” shall mean nonpublic, individually-identifiable 
information from or about an individual consumer, including, but not limited to, an 
individual consumer’s: (a) email address; (b) Internet Protocol (“IP”) address or other 
persistent identifier; (c) mobile telephone number; and (d) nonpublic communications 
made using respondent’s microblogging platform. “Nonpublic consumer information” 
shall not include public communications made using respondent’s microblogging 
platform. 


4. “Administrative control of Twitter” shall mean the ability to access, modify, or operate 
any function of the Twitter system by using systems, features, or credentials that were 
designed exclusively for use by authorized employees or agents of Twitter. 


5. “Commerce” shall mean as defined in Section 4 of the Federal Trade Commission Act, 
15 U.S.C. § 44. 


I. 


IT IS ORDERED that respondent, directly or through any corporation, subsidiary, 
division, website, or other device, in connection with the offering of any product or service, in or 
affecting commerce, shall not misrepresent in any manner, expressly or by implication, the 
extent to which respondent maintains and protects the security, privacy, confidentiality, or 
integrity of any nonpublic consumer information, including, but not limited to, 
misrepresentations related to its security measures to: (a) prevent unauthorized access to 
nonpublic consumer information; or (b) honor the privacy choices exercised by users. 
II. 


IT IS FURTHER ORDERED that respondent, directly or through any corporation, 
subsidiary, division, website, or other device, in connection with the offering of any product or 
service, in or affecting commerce, shall, no later than the date of service of this order, establish 
and implement, and thereafter maintain, a comprehensive information security program that is 
reasonably designed to protect the security, privacy, confidentiality, and integrity of nonpublic 
consumer information. Such program, the content and implementation of which must be fully 
documented in writing, shall contain administrative, technical, and physical safeguards 
appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, 
and the sensitivity of the nonpublic consumer information, including: 


A. the designation of an employee or employees to coordinate and be accountable for 
the information security program. 


B. the identification of reasonably-foreseeable, material risks, both internal and 
external, that could result in the unauthorized disclosure, misuse, loss, alteration, 
destruction, or other compromise of nonpublic consumer information or in unauthorized 
administrative control of the Twitter system, and an assessment of the sufficiency of any 
safeguards in place to control these risks. At a minimum, this risk assessment should 
include consideration of risks in each area of relevant operation, including, but not 
limited to: (1) employee training and management; (2) information systems, including 
network and software design, information processing, storage, transmission, and 
disposal; and (3) prevention, detection, and response to attacks, intrusions, account 
takeovers, or other systems failures. 


C. the design and implementation of reasonable safeguards to control the risks 
identified through risk assessment, and regular testing or monitoring of the effectiveness 
of the safeguards’ key controls, systems, and procedures. 


D. the development and use of reasonable steps to select and retain service providers 
capable of appropriately safeguarding nonpublic consumer information such service 
providers receive from respondent or obtain on respondent’s behalf, and the requirement, 
by contract, that such service providers implement and maintain appropriate safeguards; 
provided, however, that this subparagraph shall not apply to personal information about a 
consumer that respondent provides to a government agency or lawful information 
supplier when the agency or supplier already possesses the information and uses it only 
to retrieve, and supply to respondent, additional personal information about the 
consumer. 
E. the evaluation and adjustment of respondent’s information security program in 
light of the results of the testing and monitoring required by subparagraph C, any 
material changes to respondent’s operations or business arrangements, or any other 
circumstances that respondent knows or has reason to know may have a material impact 
on the effectiveness of its information security program. 


III. 


IT IS FURTHER ORDERED that, in connection with its compliance with Paragraph II 
of this order, respondent shall obtain initial and biennial assessments and reports 
(“Assessments”) from a qualified, objective, independent third-party professional, who uses 
procedures and standards generally accepted in the profession. Professionals qualified to prepare 
such assessments shall be: a person qualified as a Certified Information System Security 
Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding 
Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, 
Security (SANS) Institute; or a similarly qualified person or organization approved by the 
Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade 
Commission, Washington, D.C. 20580. The reporting period for the Assessments shall cover: 
(1) the first one hundred and eighty (180) days after service of the order for the initial 
Assessment, and (2) each two (2) year period thereafter for ten (10) years after service of the 
order for the biennial Assessments. Each Assessment shall: 


A. set forth the specific administrative, technical, and physical safeguards that 
respondent has implemented and maintained during the reporting period; 


B. explain how such safeguards are appropriate to respondent’s size and complexity, 
the nature and scope of respondent’s activities, and the sensitivity of the nonpublic 
personal information collected from or about consumers; 


C. explain how the safeguards that have been implemented meet or exceed the 
protections required by Paragraph II of this order; and 


D. certify that respondent’s security program is operating with sufficient 
effectiveness to provide reasonable assurance to protect the security, privacy, 
confidentiality, and integrity of nonpublic consumer information and that the program 
has so operated throughout the reporting period. 


Each Assessment shall be prepared and completed within sixty (60) days after the end of the 
reporting period to which the Assessment applies. Respondent shall provide the initial 
Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal 
Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been 
prepared. All subsequent biennial Assessments shall be retained by respondent until the order is 
terminated and provided to the Associate Director of Enforcement within ten (10) days of 
request. 
IV. 


IT IS FURTHER ORDERED that respondent shall maintain and upon request make 
available to the Federal Trade Commission for inspection and copying, a print or electronic copy 
of: 


A. for a period of three (3) years from the date of preparation or dissemination, 
whichever is later, all widely-disseminated statements, including, but not limited to, 
statements posted on respondent’s website that describe the extent to which respondent 
maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic 
consumer information, with all materials relied upon in making or disseminating such 
statements, except that respondent shall not be required to provide any such statements 
that are made using the Twitter microblogging platform; 


B. for a period of six (6) months from the date received, all consumer complaints 
directed at respondent, or forwarded to respondent by a third party, that relate to 
respondent’s activities as alleged in the draft complaint and any responses to such 
complaints; 


C. for a period of two (2) years from the date received, copies of all subpoenas and 
other communications with law enforcement entities or personnel, if such 
communications raise issues that relate to respondent’s compliance with the provisions of 
this order; 


D. for a period of five (5) years from the date received, any documents, whether 
prepared by or on behalf of respondent, that contradict, qualify, or call into question 
respondent’s compliance with this order; and 


E. for a period of three (3) years after the date of preparation of each Assessment 
required under Part III of this order, all materials relied upon to prepare the Assessment, 
whether prepared by or on behalf of the respondent, including but not limited to all plans, 
reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, 
for the compliance period covered by such Assessment. 


V. 


IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all 
current and future principals, officers, directors, and managers, and to all current and future 
employees, agents, and representatives having responsibilities relating to the subject matter of 
this order. Respondent shall deliver this order to such current personnel within thirty (30) days 
after service of this order, and to such future personnel within thirty (30) days after the person 
assumes such position or responsibilities. 
VI. 


IT IS FURTHER ORDERED that respondent shall notify the Commission at least 
thirty (30) days prior to any change in the corporation that may affect compliance obligations 
arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or 
other action that would result in the emergence of a successor corporation; the creation or 
dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this 
order; the proposed filing of a bankruptcy petition; or a change in either corporate name or 
address. Provided, however, that, with respect to any proposed change in the corporation about 
which respondent learns less than thirty (30) days prior to the date such action is to take place, 
respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. 
All notices required by this Paragraph shall be sent by certified mail to the Associate Director, 
Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 
Washington, D.C. 20580. 


VII. 


IT IS FURTHER ORDERED that respondent shall, within sixty (60) days after the date 
of service of this order file with the Commission a true and accurate report, in writing, setting 
forth in detail the manner and form in which respondent has complied with this order. Within 
ten (10) days of receipt of written notice from a representative of the Commission, respondent 
shall submit additional true and accurate written reports. 


VIII. 


This order will terminate on March 2, 2031, or twenty (20) years from the most recent 
date that the United States or the Commission files a complaint (with or without an 
accompanying consent decree) in federal court alleging any violation of the order, whichever 
comes later; provided, however, that the filing of such a complaint will not affect the duration of: 


A. any Part in this order that terminates in fewer than twenty (20) years; 
B. this order if such complaint is filed after the order has terminated pursuant to this 
Part. 


Provided, further, that if such complaint is dismissed or a federal court rules that respondent did 
not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld 
on appeal, then the order as to such respondent will terminate according to this Part as though 
the complaint had never been filed, except that the order will not terminate between the date 
such complaint is filed and the later of the deadline for appealing such dismissal or ruling and 
the date such dismissal or ruling is upheld on appeal. 


By the Commission. 


Donald S. Clark 
Secretary 


SEAL 
ISSUED: March 2, 2011 